When and How to Give Notices of a Data Breach in Your Company

With the rise of data cyber theft, many states have enacted laws requiring businesses to disclose data breaches.  You have probably heard about data breaches at the Office of Personnel Management, Ashley Madison, Army National Guard, Anthem, T-Mobile, and Target.  You may think that such data breaches only affect large businesses or agencies, but it can also happen to small businesses.

Most businesses we represent maintain client information which if divulged through a cyber attack would require a notice to those individuals under the California Data Breach Notification Law.  This could apply to real estate agents, title companies, dentists, doctors, attorneys, landlords, elder care facilities, and any kind of employer because of its employee records.

A report in 2014 from the California Attorney General determined that breach notifications, which have been required by California law since 2003, were not adequately warning individuals about the threat of data breaches.  The report found that “concerns about litigation risks may cause companies to draft notices in legalistic language that is less accessible” and therefore “Breach notices continue to be written at the college level, well above the average reading level for adults.”

This caused the California legislature to enact SB 570 and AB 964, effective as of January 1st of this year, to amend California’s Data Breach Notification Law and change the notification requirements businesses must send in the unfortunate event of a breach of unencrypted data.

Here’s a summary of the amended law.

Who is Covered?
Any person or business that conducts business in California that owns or licenses computerizes data which includes personal information.

What Information is Covered?
Personal information is defined as either:

1.     An individual’s first name or first initial and last name in combination with any one or more of the following data elements:

(A)    Social security number.
(B)    Driver’s license number or California identification card number.
(C)    Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
(D)    Medical information.
(E)    Health insurance information.
(F)    Information or data collected through the use or operation of an automated license plate recognition system, as defined in Section 1798.90.5.

Or

2.    A user name or email address, in combination with a password or security question and answer that would permit access to an online account.

What is a Breach?
The amended law defines a data breach as an “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.”

When is Notice Required?
Whenever you know or reasonably believe that such a data breach has occurred you are required to notify affected individuals of the breach “in the most expedient time possible and without unreasonable delay.”  Although the time requirement is not clear, the California Office of Privacy Protection recommends notifying affected individuals within ten business days after you have determined or reasonably believe there has been a data breach.  However, if a law enforcement agency determines that the notification would impede a criminal investigation, then the disclosure may be delayed until after the disclosure would no longer compromise the investigation.

What Kind of Notice is Required?
The new law requires the disclosures to use plain language and call attention to the nature and significance of the information contained in the notice.  The disclosures must be titled “Notice of Data Breach” and to contain information about the breach under the headings “What Happened,” “What Information Was Involved,” What We Are Doing,” What You Can Do,” and “For More Information.”

Civil Liability
The California Data Breach Notification Law does not specifically address criminal or civil penalties, but the California Attorney General has taken the position that a failure to comply with the statute is a violation of the California Unfair Competition statutes.  This could expose you to expensive litigation and civil penalties of $2,500 per violation.  These penalties can add up quickly as the violations are measured by the individual not by the data breach.

Safe Harbor
If your business’s data is encrypted then the disclosure requirement does not apply.  The legislature has defined “encrypted” as “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.”

Hopefully your company never experiences a data breach.  If it does, contact our firm for help in satisfying your statutory notification obligations.

We hope that you will find this Article helpful in your business. Please feel free to forward this Article on to anyone that you think may benefit from this information.  As always, if you have any questions about your business or any legal matter, please call us at (916) 966-2260 or email Matthew Kirkpatrick at mjkirkpatrick@bpelaw.com.

This article is not intended to be legal advice, and should not be taken as legal advice.  Every case requires review of specific facts and history, and a formal agreement for service.